Hi,
So if any of you run Exim with perl_startup in the configuration and have local users you don't trust, go and do an update. Or check whether your distribution provides one…
4.84.2 4.85.2 4.86.2
The distros have been informed since Monday, the public since yesterday.

Security fix for CVE-2016-1531
==============================
All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally *any* user) can gain root privileges.
New options
-----------
We had to introduce two new configuration options:
    keep_environment =
    add_environment =

Both options are empty by default. That is, Exim cleans the complete environment on startup. This affects Exim itself and any subprocesses, such as transports that may call other programs via some alias mechanism, routers (queryprogram), lookups, and so on.
** THIS MAY BREAK your existing installation **
If both options are not used in the configuration, Exim issues a warning on startup. This warning disappears if at least one of these options is used (even if set to an empty value).
keep_environment should contain a list of trusted environment variables (do you trust PATH?). This may be a list of names and regular expressions.

    keep_environment = ^LDAP_ : FOO_PATH
To add (or override) variables, you can use add_environment:
    add_environment = <; PATH=/sbin:/usr/sbin

New behaviour
-------------
Exim now changes its working directory to / right after startup, even before reading its configuration. (Later Exim changes its working directory to $spool_directory, as usual.)
Exim only accepts an absolute configuration file path now, when using the -C option.
Thank you for your understanding.
Best regards from Dresden/Germany
Heiko Schlittermann
lug-dd@mailman.schlittermann.de
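
Added example, not part of the original announcement and not code from the Exim project: a read-only shell check that reports whether a main configuration uses perl_startup, whether keep_environment/add_environment are present (so a fixed Exim would not warn on startup), and whether PATH is listed as trusted. The function names, finding labels and the sample configuration are constructed for illustration; the parser assumes one option per line, the default ':' list separator, and no macros or included files.

```shell
#!/bin/sh
# Added example (not from the Exim project): read-only audit of an Exim
# main configuration for the options named in this announcement.

# Print "set:<value>" if main-section option $2 is set in config file $1.
# Assumption: one option per line, no macros or .include files expanded.
exim_opt() {
    awk -v opt="$2" '
        /^[ \t]*begin[ \t]/ { exit }        # main section ends at first "begin"
        /^[ \t]*#/          { next }        # skip comment lines
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (index(line, opt) != 1) next
            rest = substr(line, length(opt) + 1)
            if (rest !~ /^[ \t]*=/) next    # reject longer option names
            sub(/^[ \t]*=[ \t]*/, "", rest)
            print "set:" rest; exit
        }' "$1"
}

# Print space-separated findings for config file $1 (empty = nothing to report).
audit_exim_conf() {
    perl=$(exim_opt "$1" perl_startup)
    keep=$(exim_opt "$1" keep_environment)
    add=$(exim_opt "$1" add_environment)
    out=""
    # perl_startup present: host is in the class the advisory calls vulnerable.
    if [ -n "$perl" ]; then out="$out perl_startup-in-use"; fi
    # Neither option present: a fixed Exim warns on startup.
    if [ -z "$keep$add" ]; then out="$out environment-options-unset"; fi
    # PATH listed as trusted: the advisory asks whether you really trust it.
    # Assumption: default ':' list separator in keep_environment.
    if printf '%s\n' "${keep#set:}" | tr ':' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -qx 'PATH'; then out="$out keeps-PATH"; fi
    printf '%s\n' "${out# }"
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# main section
perl_startup = do '/etc/exim/exim.pl'
keep_environment = ^LDAP_ : PATH
begin acl
EOF
audit_exim_conf "$sample"    # perl_startup-in-use keeps-PATH
rm -f "$sample"
```

The check does not look at the installed Exim version or at whether the binary is set-uid root; those still have to be verified against the fixed releases listed above.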